With the Flashback trojan now threatened by extinction thanks to Apple’s new removal tool, it’s time to turn our attention to another threat. A vulnerability in Microsoft Office is allowing the “Backdoor.OSX.SabPub.a” trojan to infect systems running Mac OS X and use a Java exploit to avoid detection from anti-malware products
Once on your system, the trojan can feed back screenshots of your system and execute commands.
Kaspersky’s Costin Raiu says the trojan is already a month old, and it connects to a remote server based in California to receive its instructions. It uses a Java exploit by the name of “Exploit.Java.CVE-2012-0507.bf” in an effort to avoid detection from anti-malware products.
While it’s currently unclear how exactly this trojan is infecting Macs, Raiu says that some reports suggest the trojan is spread via emails that include links to the malware, in addition to infected Office documents. He also states that the trojan is in its “active stage,” and confirmed that it was able to take control of a “goat” machine operating by Kaspersky before searching for documents.
Raiu believes the exploit may be part of the same Pro-Tibetan campaign that spawned malware like “LuckyCat,” which also used infected documents to control machines:
The timing of the discovery of this backdoor is interesting because in March, several reports pointed to Pro-Tibetan targeted attacks against Mac OS X users. The malware does not appear to be similar to the one used in these attacks, though it is possible that it was part of the same or other similar campaigns.
Kaspersky promises that it will continue its research into this malware and recommends that Mac users take the usual precautions to ensure that their machine is safe. That includes keeping your machine and its software up to date, not installing software you didn’t specifically download, and using a good security solution.
[via The Register]
